6 Best WordPress Security Authentication Plugins

It doesn’t take much for your digital life to be totally destroyed, as Wired’s Mat Honan discovered (check it out, it’s an eye-opening read).

Remembering usernames and passwords can be a real pain in the backside, so it’s no surprise most people use the same information across several accounts, such as email, social media and even banking. But if one account’s password is hacked and cracked, that security leak can put your other accounts in danger.

If you manage a WordPress site, or even several sites for clients, beefing up the overall security of a site is a no-brainer. Most users know how to strengthen passwords, but a stronger defence against brute-force attacks is two-step authentication. Even if a hacker guesses your username and password, they will not be able to log in to your site without a code or token, which is usually tied to your smartphone.

In this round-up, we’ll look at some of the top authentication plugins available for WordPress.

Google Authenticator

The Google Authenticator plugin is probably the most popular security authentication tool available for WordPress. This plugin gives you two-factor authentication using the Google Authenticator app for iPhone, Android and Blackberry.

Once installed and activated, the plugin’s settings will appear in Users > Your Profile. From there, you can set a secret key or use a QR code. You will then need to download the free Google Authenticator app on your smartphone and enter the secret key or scan the QR code so the app is linked to your WordPress site. Once that’s all set up, any time you log in to your site you will need to open the app on your phone and enter the code it displays before the timer runs out.

This is a great plugin if you want to easily increase login security on your site.
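The secret-key-plus-timer scheme the plugin uses is RFC 6238 TOTP. The following is an added example (not code from the plugin or from this article) of what happens on both sides: the phone derives a six-digit code from the shared base32 secret and the current 30-second step, and the site recomputes it. The verifier also accepts one step of clock drift and refuses to accept the same step twice, which is the replay concern raised further down in the comments. The secret below is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: tolerate +/- `window` steps of clock drift, but never
    accept a time step that has already been used (prevents replay of a sniffed code)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1                   # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue                         # that step was already used: replay
            expected = totp_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter      # burn this step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in base32 (constructed test value).
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    verifier = TotpVerifier(secret)
    code = totp_code(secret, 1111111109)         # what the phone app would show
    print(code, verifier.verify(code, 1111111139))   # one step later: drift tolerated
    print(verifier.verify(code, 1111111139))     # same code again: rejected
```

A phone whose clock is off by more than the window (the old-Android issue mentioned in the comments) produces codes the verifier will never accept, which is why a backup or recovery path matters.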

Clef

I have to say, Clef is fantastic for a free plugin. This plugin and app combo allows you to replace usernames and passwords on your WordPress site with your smartphone.

This is how it works: Download the app directly from the Apple iTunes or Google Play stores, then download, install and activate the Clef plugin from the WordPress Plugin Repository. When you set up the smartphone app for the first time you create a profile on your phone. Clef uses that profile to generate a new digital signature each time you want to log in to your site. Rather than logging in with a password, your login screen is replaced with the “Clef Wave,” which you sync with the matching Clef Wave on your phone. The smartphone app then grants you an hour-long session on your site unless you increase the session time on your phone.

Two-Factor Authentication - Clockwork SMS

Clockwork SMS offers two-factor authentication using SMS, so you don’t necessarily need a smartphone to use this plugin. However, while the plugin is free, you do need to spend cash to send SMS messages to your phone each time you want to log in to your site.

After installing and activating the plugin you will need to get an API key from the Clockwork site.

While this plugin is helpful for non-smartphone users, it does cost money.

Duo Two-Factor Authentication

You will need to download and install Duo’s plugin and app, and also create an account on the Duo Security website to obtain security keys.

The next time you log in to your site, you will be directed to another login page where you can choose how you would like to authenticate. There are multiple ways you can authenticate, including using the mobile app, one-time passcodes generated on the app, one-time passcodes delivered via SMS, phone callback to any mobile or landline phone, and one-time passcodes generated by an OATH-compliant hardware token. I prefer to use Duo Push, which sends a message to your phone and opens the Duo app, allowing you to approve or deny a login request.

This plugin/app is a great way to keep track of who logs into your site and when.

OpenID

The OpenID plugin allows you to log in to your site using an OpenID. If you use online services such as Google+, Yahoo, Flickr or WordPress.com, you probably already have an OpenID.

Once installed, this plugin adds new options to Users > Your OpenIDs and Settings > OpenID. You can add OpenID accounts in the Users section so you can log in using your social accounts.

The only problem with this plugin is that you can still log in to your WordPress site with your usual username and password as well as with your OpenID. It adds an alternative way in rather than a second factor, so it doesn’t really offer the increased level of security that the other plugins in this list do.

Authy

Authy offers a quick and easy way to add two-factor authentication to your site.

Just download the Authy plugin from the WordPress Plugin Repository, install the Authy smartphone app and sign up for an Authy account. After you’ve installed and activated the plugin, enter the API key from your account and choose which roles you would like the authentication to apply to. Then you will need to enable authentication for each of your users by adding their cellphone numbers.

The plugin works by texting a token to your phone when you attempt to log in to your site. Once you’ve entered the token, you can log in.

This plugin actually has more features and is more stable and secure. For instance, a one-time password can’t be used twice, to defeat data interception. If someone intercepts your HTTP data and gets the password, the attacker can’t use it.

Admins have more control over their users: force them to use two-factor authentication, revoke an account…

The latest update introduced a recovery code feature: you don’t have your phone with you? You can use a unique recovery code instead.

…perhaps he doesn’t need one, like me, so doesn’t need to buy into the hefty monthlies to have one…!! Too much of the world revolves around ‘smart’ phones.
There should be an option to receive emails to confirm…if the plugins can send texts or connect to mobile apps then surely an email feature isn’t too much to ask for.
Sad that we need such security in the first place.

I’ve been using Clef for a bit now, and I found out that you get the option to login using Clef/your phone or to use the normal login.
So it is possible to work with both kinds at the same time (with no conflicts between the options), without being forced to use one or the other.

I find the question from @steve_keller interesting: whether for personal preference or economic reasons, what if some members don’t have access to a smartphone/cellphone (or don’t want to “link” it)? Would it be possible for them to log in, or would this security measure leave them out?

Personally, I’m using a solution from the list (Clef looks quite impressive), but perhaps some clients will want/need that no phone is required.

PS: Weird though, in these times, to know someone who doesn’t have a mobile phone by choice.

I use the Google Authenticator plugin. One thing to note is that on old Android phones there is a glitch that throws the time sequence out of whack, so you don’t have enough time to log in. So if you are planning on implementing any of these plugins on your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.

Obviously, there are other things system admins should be putting in place, like using a password manager for usernames and passwords (different for every site), hiding the login address, and having an htaccess password for the wp-admin directory. A great one is to set up a blanket blacklist on any IP address entering admin as the username. (None of this three strikes you’re out. You get one chance with me. It’s pretty hard to type it in wrong if you have a password manager.) And a recent one that has worked wonders for me is blocking every country except my own from accessing the back-end. Sure, I’ll get the occasional hacker from my own country, but it’s far more manageable.

Remember, your system is only as strong as its weakest link. If your clients are not using a password manager, then make sure your system forces them to use strong passwords, and also forces them to make a new password every month or so, with no repeats.

I like Duo Two-Factor Authentication. Your Duo Security account can be used in a variety of ways. Not only does this service protect my blogs, but also my LastPass account, etc. Quite impressed with the implementation.

I was looking for a two-factor auth some time ago so I tested a whole bunch of those plugins and ended up sticking with Rublon (which wasn’t mentioned in this article). It’s the easiest to set up (install the plugin and scan a QR code) and hassle free on a day to day basis. Just scan a QR code once and then you can log in to all your sites just entering your password.

I’d like to share another recently launched plugin, https://wordpress.org/plugins/miniorange-2-factor-authentication/. It is easy to set up. It uses mobile authentication: just download the miniOrange app, scan the QR code and you are done. There are multiple features in the plugin. For example, if your phone is offline, you can log in to your account with the soft-token feature. Another one is that if you forgot or lost your phone, you can still log in to your account with the OTP over email feature. You can enable the plugin for admin and other users separately just by checking the checkbox.

If you have any feedback regarding this plugin or need any other additional requirement, I’d like to hear it.